SonicWall HA Deployments and Licensing Explained

A technical guide on HA deployments and licensing written by our Senior Network Security Engineer.

 

High Availability

SonicWall has three kinds of High Availability, detailed below.

SonicWall High Availability is available on all SonicWall UTM Appliances apart from the SOHO or Wireless units.

Only the Primary SonicWall needs to be configured (in some cases you may need to log in to the Backup appliance and turn off the PortShielding feature).

The Primary SonicWall is the only appliance that needs to have the Security Services Licenses on.

When the appliances have been registered correctly in the same MySonicWall account, they will share the licenses across both appliances.

All settings and licensing are synchronised across both Appliances.

 

Stateless (Active/Passive)

Stateless High Availability is the most basic kind of HA. When the Active SonicWall appliance fails, the Idle appliance becomes the Active appliance, dropping all active connections, which are then renegotiated.

 

Stateful (Active/Passive)

With Stateful High Availability, when the Active SonicWall appliance fails, the Idle appliance becomes the Active appliance, caching most of the active connections without the need to renegotiate them, due to the use of the Virtual MAC feature.

 

Below is a list of all the connection types that will be synchronised when the Active appliance fails over to the Idle unit and the Idle unit becomes active.

 

 

Active/Active DPI (Active/Passive + Active/Active for DPI Services) *

Active/Active DPI works the same as Stateful HA but with the extra ability to share the Deep Packet Inspection traffic across both appliances. The firewall, NAT, and other modules are processed on the active firewall.

The default settings, shown below, are based on the traffic or CPU load of the Primary Appliance; however, this can be manually set under the Internal Settings page to change the threshold or to force all the DPI traffic to be offloaded to the Idle Appliance.

 

Active/Active DPI Default Settings

 

SonicWall Appliance Model and Licensing

 

| Model    | Stateful HA                                   | A/A DPI               | Clustering                                  |
|----------|-----------------------------------------------|-----------------------|---------------------------------------------|
| TZ 300   | N/A                                           | N/A                   | N/A                                         |
| TZ 400   | N/A                                           | N/A                   | N/A                                         |
| TZ 500   | Expanded License, Stateful HA Upgrade License | N/A                   | N/A                                         |
| TZ 600   | Expanded License, Stateful HA Upgrade License | N/A                   | N/A                                         |
| NSA 2600 | Expanded license, HA license                  | N/A                   | N/A                                         |
| NSA 3600 | Expanded license, HA license                  | N/A                   | Expanded, from 6.2.9 Firmware, 01-SSC-7091  |
| NSA 4600 | Included                                      | N/A                   | Expanded, from 6.2.9 Firmware, 01-SSC-4037  |
| NSA 5600 | Included                                      | Expanded, 01-SSC-4480 | Expanded, 01-SSC-4480                       |
| NSA 6600 | Included                                      | Expanded, 01-SSC-4481 | Expanded, 01-SSC-4481                       |
| SM 9200  | Included                                      | Included              | Included                                    |
| SM 9400  | Included                                      | Included              | Included                                    |
| SM 9600  | Included                                      | Included              | Included                                    |
| SM 9800  | Included                                      | Included              | Included, from 6.2.7.7 Firmware             |

 

For High Availability configuration guides, see the links below.

 

Tips for High Availability (HA) setup

How to Replace a Primary or Secondary High Availability (HA) unit

Associating an Appliance at First Registration on MySonicWall for High Availability

 

* Not to be confused with Active/Active Clustering where, in some scenarios, both (or more) appliances have to be fully licensed.

 

SonicWall HA Clustering

  • HA Clustering is where each firewall (Node) is processing traffic. There are several deployment methods and caveats.
  • A Cluster Node can be either a single Appliance or two Appliances in Stateful HA or Active/Active DPI.
  • There can be a maximum of 4 Cluster Nodes (8 Appliances in total).
  • You would choose this method for extra redundancy and throughput.
  • This method requires the use of additional network devices for load balancing using VRRP.
  • For the Full Mesh option utilising the redundant ports it is recommended to use different colour cables to avoid confusion.

 

Licensing Cluster Scenarios

  • The licensing is dependent on the configuration, e.g. in a deployment of an Active/Active two unit cluster, as shown in the image below, both appliances need to be fully licensed **.
  • In an Active/Passive HA Four Unit Cluster, where each Cluster Node comprises a Primary and a Backup appliance, just the Primary Appliances need to be fully licensed **.
  • In an Active/Active DPI HA Four Unit Cluster, where each Cluster Node comprises a Primary and a Backup appliance, just the Primary Appliances need to be fully licensed **.

 

** From firmware version 6.2.9, the NSA 3600 and 4600 are supported for Active/Active Clustering and Active/Active DPI. All devices from the NSA3600 to the NSA5600 require the Expanded license for the Active/Active DPI and Clustering options.

 

 

Active/Active Two Unit Cluster

The most basic deployment is the Active/Active two‐unit cluster as shown below, where both appliances are fully licensed and processing traffic.

 

The configuration is managed on the Master Cluster Node (Cluster Node 1); if this fails, all traffic will be processed on Cluster Node 2. This method involves no Backup appliances in the individual Cluster Nodes, so the Active/Active failover is Stateless: all network connections will be reset and VPN tunnels will be renegotiated.

 

Active/Active Two Unit cluster

 

 

For larger deployments, the cluster can include up to eight firewalls, configured as four Cluster Nodes (or HA pairs). Within each Cluster Node, Stateful HA keeps the dynamic state synchronized for seamless failover with zero loss of data on a single point of failure. Stateful HA is not required, but is highly recommended for best performance during failover.

 

 

Active/Active DPI HA Four Unit Cluster

 

Active/Active DPI HA Four Unit Clustering

 

 

Feature Caveats

When Active/Active Clustering is enabled, only static IP addresses can be used on the WAN.

 

The following features are not supported when Active/Active Clustering is enabled:

  • DHCP Server
  • L3 Transparent Mode
  • L2 Bridging / L2 Transparent Mode
  • Dynamic DNS
  • Wire Mode

 

The following features are only supported on Virtual Group 1:

  • SonicWall GVC
  • SonicOS SSL VPN
  • IP Helper
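
The caveats and licensing scenarios above can be checked against a planned cluster before deployment. The following is an added example, not code from SonicWall or from the original guide: the plan schema (Node, Plan, review) and the appliance labels are hypothetical, and treating "only the Primary of each Cluster Node is fully licensed" as the general rule is a generalisation of the three licensing scenarios listed on this page.

```python
from dataclasses import dataclass, field
from typing import Optional

# Rules below are transcribed from this page; the plan schema is hypothetical.
CLUSTER_MODELS = {"NSA 3600", "NSA 4600", "NSA 5600", "NSA 6600",
                  "SM 9200", "SM 9400", "SM 9600", "SM 9800"}
UNSUPPORTED = {"DHCP Server", "L3 Transparent Mode",
               "L2 Bridging / L2 Transparent Mode", "Dynamic DNS", "Wire Mode"}
VG1_ONLY = {"SonicWall GVC", "SonicOS SSL VPN", "IP Helper"}

@dataclass
class Node:
    primary: str                  # label of the Primary appliance
    backup: Optional[str] = None  # label of the Backup appliance, if any

@dataclass
class Plan:
    model: str
    nodes: list
    wan_addressing: str = "static"
    features: dict = field(default_factory=dict)  # feature -> Virtual Group

def review(plan):
    """Return caveat findings, appliances needing full licences, stateless nodes."""
    findings = []
    if plan.model not in CLUSTER_MODELS:
        findings.append(f"{plan.model}: Clustering is N/A in the model table")
    if not 1 <= len(plan.nodes) <= 4:
        findings.append("a cluster has a maximum of 4 Cluster Nodes")
    if plan.wan_addressing != "static":
        findings.append("WAN must use static IP addresses")
    for feature, group in sorted(plan.features.items()):
        if feature in UNSUPPORTED:
            findings.append(f"{feature}: not supported with clustering")
        elif feature in VG1_ONLY and group != 1:
            findings.append(f"{feature}: only supported on Virtual Group 1")
    return {
        "findings": findings,
        # Generalised page rule: the Primary of each Cluster Node is fully licensed.
        "fully_licensed": [n.primary for n in plan.nodes],
        # A node with no Backup fails over to another node statelessly.
        "stateless_nodes": [n.primary for n in plan.nodes if n.backup is None],
    }

# Constructed sample: two single-appliance nodes with four planning mistakes.
SAMPLE = Plan("NSA 2600", [Node("fw-a"), Node("fw-b")], "dhcp",
              {"Dynamic DNS": 1, "SonicOS SSL VPN": 2, "IP Helper": 1})
```

Calling review(SAMPLE) flags the unsupported model, the DHCP WAN, Dynamic DNS and the SSL VPN placed on Virtual Group 2, and lists both appliances as needing full licences with stateless failover.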

 

For more information on SonicWall Clustering see here:

http://help.sonicwall.com/help/sw/por/6950/26/2/4/content/HA_AAClusteringConfig.htm

 

 

 

 

Copyright 2018 NetThreat Ltd

Attachment: SonicWall_HA_Deployments_Explained.pdf